CacheFlow's caching devices were great already; now they're smarter. They offer much finer control over the content they serve, along with new features: virus scanning of Web pages and HTTP-based downloads; removal of objectionable content at the object level; content filtering by individual, group, IP address and subnet; and user authentication against many back ends, including LDAP, NTLM and RADIUS.
I tested a beta version of the Security Gateway 626 in our Real-World Labs® in Green Bay, Wis. The 626 is a 1U, dual 10/100 Fast Ethernet device (fiber gigabit is also available) with two 34-GB Ultra 160 SCSI hard drives, 768 MB of RAM and an AMD K3 processor. CacheOS 5.0 offers a Cisco IOS-like CLI or a Java-augmented, HTML-based configuration GUI. Those familiar with Check Point Software Technologies' firewall-configuration application will be comfortable with CacheFlow's Java-based policy editor.
Redundancy is built into the proprietary OS. The configuration is stored on each drive, and if the first drive fails, the OS can boot from the other. Drives and power supplies are hot-swappable, so you needn't bring the unit down to replace a drive or power unit.
Testing
The cache can act in transparent or explicit mode and is easily integrated into the network. Within five minutes of unpacking the device, I was provided with explicit proxy services for clients in the lab. CacheFlow also supports PAC (Proxy Autoconfiguration) and WPAD (Web Proxy Autodiscovery) for automatic proxy configuration from a client browser. In transparent mode the browser does not know it is talking to a proxy and will not answer a proxy-authentication challenge, so the cache identifies users by a cookie or by source IP instead. Source-IP identification is only as strong as the assumption that one address means one user, which breaks down behind NAT or on shared machines.
Reading and Writing Cell-Phone Style
I began testing the unit by creating a rule in the policy editor to deny all traffic to a single site. Policies are edited using the policy editor or via the CLI. I don't recommend the latter: The policy language is not very intuitive. After configuration, a click of a button installs the policy on the cache. All worked as advertised.
Still, even rudimentary caches can provide this level of control. To test the content-aware facets of the Security Gateway, I created a policy that removed all active content from Web pages, including Java applets, ActiveX controls and JavaScript. After the policy was applied, I visited several sites containing active content. The pages were returned, but in place of the active content was text stating that the active content had been removed.
Security Gateway can also remove content at the object level: individual images can be stripped, which reduces bandwidth use and, allegedly, raises employee productivity. You can actually force employees to read the articles instead of looking at the pretty pictures.
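A content-aware filter of the kind the last two paragraphs describe, written here in Python as an added example (it is not CacheFlow's code, and CacheOS's own filter is not open to inspection). It drops script, applet, object and embed elements, strips inline event handlers and javascript: URLs, optionally replaces images, and leaves a placeholder wherever something was removed. The sample page and every name in it are constructed.

```python
"""Active-content and image stripping of the kind a content-aware proxy does.
Added example, not CacheFlow's code: the sample page below is constructed."""
import re
from html import escape
from html.parser import HTMLParser

# Elements whose whole subtree is active content.
ACTIVE_ELEMENTS = {"script", "applet", "object", "embed"}
# Attributes that can carry a javascript: (or vbscript:) URL.
URL_ATTRS = {"href", "src", "action", "formaction"}
PLACEHOLDER = "[active content removed]"


class ActiveContentFilter(HTMLParser):
    """Re-serialises the page, dropping active content and counting removals."""

    def __init__(self, strip_images=False):
        # convert_charrefs=False so entities are re-emitted untouched instead of
        # being decoded into characters that could turn back into markup.
        super().__init__(convert_charrefs=False)
        self.strip_images = strip_images
        self.out = []
        self.skip_depth = 0      # > 0 while inside an active element
        self.removed = 0

    @staticmethod
    def attr_is_active(name, value):
        lname = name.lower()
        if lname.startswith("on"):            # onclick=, onmouseover=, ...
            return True
        if lname in URL_ATTRS and value is not None:
            # Browsers ignore control characters and whitespace inside the
            # scheme, so normalise before looking at it.
            scheme = re.sub(r"[\x00-\x20]", "", value).lower()
            return scheme.startswith(("javascript:", "vbscript:"))
        return False

    def emit_tag(self, tag, attrs, self_closing):
        parts = [tag]
        for name, value in attrs:
            if self.attr_is_active(name, value):
                self.removed += 1
                continue
            parts.append(name if value is None
                         else '%s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<" + " ".join(parts) + (" />" if self_closing else ">"))

    def start(self, tag, attrs, self_closing):
        if self.skip_depth:
            if tag in ACTIVE_ELEMENTS and not self_closing:
                self.skip_depth += 1
            return
        if tag in ACTIVE_ELEMENTS:
            self.removed += 1
            self.out.append(PLACEHOLDER)
            if not self_closing:
                self.skip_depth = 1
        elif tag == "img" and self.strip_images:
            self.removed += 1
            self.out.append("[image removed]")
        else:
            self.emit_tag(tag, attrs, self_closing)

    def handle_starttag(self, tag, attrs):
        self.start(tag, attrs, False)

    def handle_startendtag(self, tag, attrs):
        self.start(tag, attrs, True)

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in ACTIVE_ELEMENTS:
                self.skip_depth -= 1
            return
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self.skip_depth:
            self.out.append("&%s;" % name)

    def handle_charref(self, name):
        if not self.skip_depth:
            self.out.append("&#%s;" % name)

    def handle_decl(self, decl):
        self.out.append("<!%s>" % decl)

    def handle_comment(self, data):
        pass   # comments never render and can hide conditional markup: drop them


def filter_html(page, strip_images=False):
    """Return (filtered_html, number_of_removals)."""
    f = ActiveContentFilter(strip_images)
    f.feed(page)
    f.close()
    return "".join(f.out), f.removed


# Constructed sample page exercising each vector (hypothetical names).
SAMPLE_PAGE = """<html><body>
<h1>Quarterly report</h1>
<script type="text/javascript">document.cookie = "x=1";</script>
<p onmouseover="alert(1)">Revenue grew &amp; costs fell.</p>
<a href="java\tscript:steal()">click</a>
<img src="chart.png" alt="chart">
<applet code="Evil.class"><param name="x" value="1"></applet>
<object data="movie.swf"></object>
</body></html>"""

if __name__ == "__main__":
    cleaned, n = filter_html(SAMPLE_PAGE, strip_images=True)
    print(cleaned)
    print("removed:", n)
```

The two design points worth copying are the entity handling (never decode and re-serialise, or `&lt;script&gt;` in body text becomes a real tag) and the scheme normalisation on URL attributes, since a tab or newline inside `java\tscript:` is enough to slip past a naive prefix check.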
Not All Web Policies Are Equal
Generally, a single Web access policy cannot adequately encompass the whole organization. Some employees need little access, while others need full access. To account for this disparity, Security Gateway lets you configure Web access policies based on a variety of parameters, including IP/subnet, groups, individuals and ports.
I used NTLM and LDAP directories to provide two distinct groups of users--VIPs and everyone else--to test this. The only configuration caveat when using NTLM is that you'll need to install a CacheFlow agent to handle communication between the Microsoft Active Directory service and the cache.
Once the authentication realms are added to the Security Gateway, it is a simple process to add a Web authentication policy, then create a rule that designates what type of access is available to each group. I added a rule that prevented anyone in the Filter group from visiting a list of URLs. Then, after providing credentials to the cache that identified me as a member of that group, I tried to access one of the forbidden sites. I was denied. I closed the browser and tried to visit the same site, but this time identified myself as a member of the VIP group. I was in.
Most caches can authenticate via LDAP, NTLM or RADIUS, but few can authenticate against NTLM, LDAP and RADIUS at the same time. Security Gateway can: it determines which realm a user should be authenticated against by source IP/network or by the port the client connected to. I configured the cache to authenticate users who accessed the proxy through Port 8080 via NTLM and those through Port 80 via LDAP, and it worked like a charm.
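To make the decision flow of the last four paragraphs concrete, here is an added example in Python (constructed directories and deny list; it is not CacheFlow's policy language and does not talk to AD or LDAP): the realm is keyed on the listener port, the user is authenticated against that realm's directory, and access rules are then evaluated by group, first match wins. The user names, passwords, groups and host names are hypothetical.

```python
"""Decision flow of a port-keyed, group-aware proxy policy, modelled on the
configuration described above.  Added example with constructed directories;
it is not CacheFlow's policy language and does not talk to AD or LDAP."""
from hmac import compare_digest
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Realm chosen by the listener the client connected to (8080 -> NTLM,
# 80 -> LDAP, as in the review).  Consequence: the client picks the port,
# so the client picks the realm.  Only do this when both realms are
# equally trusted and both back ends are equally well maintained.
REALM_BY_PORT = {8080: "ntlm", 80: "ldap"}

# Constructed stand-ins for the two directories: username -> (password, group).
# In the real deployment these lookups go to AD (through the agent) and LDAP.
DIRECTORY = {
    "ntlm": {"alice": ("s3cret", "VIP"), "bob": ("hunter2", "Filter")},
    "ldap": {"carol": ("pass", "VIP"), "dave": ("pass", "Filter")},
}

# Hypothetical deny list for the Filter group.
FILTER_DENY = ("games.example", "video.example")


def host_matches(host: str, pattern: str) -> bool:
    """Exact or subdomain match: 'www.games.example' matches 'games.example',
    'evilgames.example' does not."""
    return host == pattern or host.endswith("." + pattern)


def authenticate(port: int, username: Optional[str],
                 password: Optional[str]) -> Tuple[str, Optional[str]]:
    """Return ("ok", group), ("challenge", realm) or ("deny", reason)."""
    realm = REALM_BY_PORT.get(port)
    if realm is None:
        return "deny", "no realm bound to port %d" % port   # fail closed
    if not username or password is None:
        return "challenge", realm      # 407 Proxy-Authenticate for that realm
    entry = DIRECTORY[realm].get(username)
    # Constant-time compare; a dummy compare keeps timing alike for unknown users.
    expected = entry[0] if entry else ""
    ok = compare_digest(expected.encode(), password.encode())
    if entry is None or not ok:
        return "challenge", realm
    return "ok", entry[1]


# Access rules, evaluated top down, first match wins.
# Each returns "allow", "deny" or None (no opinion).
def deny_filter_group(group: str, host: str) -> Optional[str]:
    if group == "Filter" and any(host_matches(host, p) for p in FILTER_DENY):
        return "deny"
    return None


def allow_vip(group: str, host: str) -> Optional[str]:
    return "allow" if group == "VIP" else None


RULES = [deny_filter_group, allow_vip]


def decide(port: int, url: str, username: Optional[str] = None,
           password: Optional[str] = None) -> Tuple[str, str]:
    """Full decision for one request: authenticate, then authorise by group."""
    status, detail = authenticate(port, username, password)
    if status != "ok":
        return status, detail
    group = detail
    host = (urlsplit(url).hostname or "").lower()
    for rule in RULES:
        verdict = rule(group, host)
        if verdict:
            return verdict, group
    # Default for authenticated users; change to "deny" for an allow-list stance.
    return "allow", group


if __name__ == "__main__":
    print(decide(8080, "http://games.example/x", "bob", "hunter2"))   # Filter: deny
    print(decide(8080, "http://games.example/x", "alice", "s3cret"))  # VIP: allow
    print(decide(80, "http://games.example/"))                        # challenge, ldap
```

Note what the port-to-realm mapping implies for the deny rule: bob exists only in the NTLM directory, so a request from him on port 80 is challenged against LDAP and never reaches the group rules at all. Rule order also matters; if `allow_vip` were listed first nothing changes here, but a later "allow everyone" rule placed above the Filter deny would silently disable it.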
Protectionist Policies
Security Gateway also provides virus scanning and, via Secure Computing Corp.'s SmartFilter or Websense's Employee Internet Management, category-based content filtering. Point the Security Gateway at the appropriate servers, and you can configure rules to deny or allow traffic by filtering category. This works well, but its effectiveness depends on how thorough the filtering vendor's category database is.
Vendor Information
CacheFlow Security Gateway 600/6000 Series, starts at $4,995. Available: Now. CacheFlow, (888) 462-3569, (408) 220-2200; fax (408) 220-2250. www.cacheflow.com
I also configured virus-scanning services and indicated that every page and object should be scanned. I then visited a site that offers files intended to test virus-scanning software, attempted to download a couple of small viruses and was denied. What's great about a cache providing this service is that once content and objects have been scanned, they are cached and subsequently served from the cache, saving time and bandwidth. The flip side is that a cached object is served on the strength of the scan it got when it entered the cache, so check whether a signature update triggers a rescan of cached objects or whether you need to flush the cache after one.
I fired up RadView Software's WebLoad 4.51 and created 600 virtual clients to send requests through the Security Gateway. Using only 10 percent of the CPU, the cache handled 1,000 transactions per second, serving an average of 5,000 Web objects per second. The freshness of the cache--configured to be at least 97.5 percent--stayed at 100 percent during the entire test.
Previous versions of CacheFlow's caches were on the leading edge--with their inherent distrust of Cache-Control headers and their ability to verify whether those headers told the truth. The new features enhance their appeal.
Technology editor Lori MacVittie has been a software developer and a network administrator. Most recently, she was a member of the technical architecture team for a global transportation and logistics organization. Send your comments on this article to her at lmacvittie@nwc.com.